The Senate version of the fiscal 2011 Defense authorization bill scheduled to be released later this week will include funding for pilot programs that will explore new ways for Defense Department agencies and contractors to gain greater access to cybersecurity tools and services, according to sources from the Armed Services Committee.

Sen. Carl Levin, D-Mich., chairman, announced on May 28 that the committee completed the markup of its version of the Defense bill, which includes funding for projects that require the department to partner with industry to track cyber threats, speed the acquisition of cybersecurity products and services, and integrate information security tools from different software vendors so they function better with one another on agency networks.

The funding would add to the $10 million in the fiscal 2010 supplemental appropriations bill the Senate passed on May 27 for the Defense and Homeland Security departments to conduct cybersecurity pilots, said committee staffers.

"The language in the supplement is fairly broad, giving a lot of discretion for the [Office of the Secretary of Defense] to define what cybersecurity pilots can be done," said one staffer. "We have similar language in the armed services bill, but we also talk about more specific projects."

The first of those projects would be conducted in partnership with DHS, which would lead development of a consortium of major telecommunications companies and Internet service providers that could offer visibility into global networks and give early warnings of potential cyberattacks against federal computer systems.

"If you add up the percentage of the world's traffic that the top 10 [telecommunications companies] see, it's a large percentage," the staffer said. "By combining [that visibility], and figuring out ways to share information in real time with automated tools, you could get a nice picture of what's happening."

A related program would explore ways that Defense could enter into contracts with one or more telecommunications companies to provide managed network security services to its industrial base. A military contractor could outsource security services to a company, which then would monitor the traffic flowing in and out of designated networks.

Two other programs in the bill would seek ways to improve how the department acquires and deploys cybersecurity tools. The first would explore more innovative and less onerous procurement models that Defense could use to quickly acquire the cyber tools and capabilities needed to respond to urgent threats against federal networks. The second would create a framework based on open standards that would integrate security tools from different vendors onto a single platform.

"The idea is to take a building block approach that allows any vendor to come in and integrate their tool into this standards-based framework," said the staffer, who pointed to the Security Content Automation Protocol, which tests computer networks and tools for compliance with a range of security standards, as a model for a framework.

The House version of the authorization bill, which passed on Friday, also charges Defense to explore new ways to address cybersecurity requirements by conducting a pilot program to test how computer security features can be built in to information systems during the development process. The bill would provide $5 million for the program, which would run until October 2015 and require the Defense secretary to submit an annual report on its progress to Congress.

Also in the House bill is a requirement for Defense to assess potential ways that modeling and simulation tools can be used to identify network vulnerabilities and deter malicious activities. The bill requires the Defense secretary to submit to the House and Senate Armed Services committees by Jan. 1, 2012, recommendations on how the tools could be used to strengthen cybersecurity.

FROM OUR SPONSORS

sponsored

JOIN THE DISCUSSION

By using this service you agree not to post material that is obscene, harassing, defamatory, or
otherwise objectionable. Although Nextgov does not monitor comments posted to this site (and has
no obligation to), it reserves the right to delete, edit, or move any material that it deems to
be in violation of this rule.

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

Data-Centric Security vs. Database-Level Security

Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.